SCIM configuration and I get an error "Using SCIM provisioning target [null]"


JakubFr

Aug 8, 2023, 1:18:30 AM
to CAS Community
Hi. 
On CAS, version 6.6, I've configured SCIM, but I'm getting this error.

  • INFO [] - <Attempting to execute provisioning ops for [XXXXX]>
  • DEBUG [] - <Using SCIM provisioning target [null]>
  • ERROR [] - <URI template of the newly created target must not be null.>

I have no idea why I'm getting this error.

I enabled the option cas.scim.enabled=true in cas.properties and I have this service (scimTarget seems to exist):

{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^https://.+",
  "name" : "SCIM",
  "id" : 24,
  "properties" : {
    "@class" : "java.util.HashMap",
    "scimOAuthToken" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "--REDACTED--" ] ]
    },
    "scimTarget" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "https://eu.[--REDACTED--]/v2" ] ]
    }
  }
}

Any idea why I'm getting this error?
Thanks

Ray Bon

Aug 9, 2023, 12:55:39 PM
to cas-...@apereo.org
Jakub,

cas.scim.target

Ray

On Mon, 2023-08-07 at 21:31 -0700, JakubFr wrote:

Petr Bodnár

Aug 12, 2023, 7:59:48 AM
to CAS Community, Ray Bon
Hi,

indeed, it looks like the "cas.scim.target" property is required. But when you access the CAS login page while passing it the JSON-configured service (e.g. "/cas/login/?service=https://..."), CAS really can use the target from its definition instead. But when you don't, you get the error you see.

So maybe you want to make the configuration global instead of specific to a given service? Note that you use "serviceId" : "^https://.+" in your example JSON, which means de facto any web application accessible via https://... will be allowed to use your CAS instance anyway, which might not be secure ("The definition of the url pattern must be done carefully because it can open security breaches.", to quote the docs).

Petr
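
Added example, not part of any post in this thread and not CAS code: a small Python model of the two points above, namely where the SCIM target comes from when a login does or does not carry a `service` parameter, and whether a `serviceId` pattern accepts unrelated hosts. The resolution order, the full-match regex semantics, the probe URLs and the `example.test` values are assumptions or constructed data.

```python
import json
import re

# Constructed probe URLs on unrelated hosts (not from the thread).
PROBES = ["https://unrelated.example.net/app", "https://other.example.org/cb"]

# Constructed service definition shaped like the one posted above.
SERVICE_JSON = """{
  "@class": "org.apereo.cas.services.CasRegisteredService",
  "serviceId": "^https://.+", "name": "SCIM", "id": 24,
  "properties": {
    "@class": "java.util.HashMap",
    "scimTarget": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values": ["java.util.HashSet", ["https://scim.example.test/v2"]]
    }
  }
}"""

def service_property(service, name):
    """First value of a registered-service property, or None."""
    prop = service.get("properties", {}).get(name)
    values = prop.get("values", []) if isinstance(prop, dict) else []
    # Values are serialized as ["java.util.HashSet", [item, ...]].
    items = values[1] if len(values) == 2 and isinstance(values[1], list) else []
    return items[0] if items else None

def resolve_scim_target(service, global_target):
    """Assumed order: matched service's scimTarget, else cas.scim.target."""
    per_service = service_property(service, "scimTarget") if service else None
    return per_service or global_target  # None reproduces "target [null]"

def is_overbroad(service_id, probes=PROBES):
    """True when the pattern accepts every unrelated probe URL."""
    return all(re.fullmatch(service_id, url) for url in probes)

def audit(service_json, request_url, global_target=None):
    """Model one login: request_url is the ?service= value, or None."""
    service = json.loads(service_json)
    # Assumption: serviceId is treated as a full-match regex.
    matched = bool(request_url) and re.fullmatch(service["serviceId"], request_url)
    target = resolve_scim_target(service if matched else None, global_target)
    return {"overbroad": is_overbroad(service["serviceId"]), "scim_target": target}

if __name__ == "__main__":
    print(audit(SERVICE_JSON, None))
    print(audit(SERVICE_JSON, "https://app.example.test/"))
    print(audit(SERVICE_JSON, None, "https://scim.example.test/v2"))
```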